X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=955e143586017a63b3acdfa1590f17cafced6624;hp=3e6ed3119d141ec335a2fdfd86aaf1ea31ece163;hb=62af314a96068a16311be6e04788fb51bc66855b;hpb=ab652a80189a1498caba8c7f3f2641affe9ec3bf

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 3e6ed31..955e143 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -6,6 +6,7 @@ use Encode;
 use Crypt::OpenSSL::Random;
 use Crypt::OpenSSL::RSA;
 use Net::SSLeay;
+use Net::IP;
 use MIME::Base64;
 use Digest::SHA;
 use Digest::HMAC_SHA1;
@@ -317,6 +318,7 @@ sub remote_viewer_config {
     my $cacert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192);
     $cacert =~ s/\n/\\n/g;
 
+    $proxy = "[$proxy]" if Net::IP::ip_is_ipv6($proxy);
     my $config = {
 	'secure-attention' => "Ctrl+Alt+Ins",
 	'toggle-fullscreen' => "Shift+F11",
@@ -356,17 +358,36 @@ sub check_user_enabled {
 
     return 1 if $data->{enable};
 
-    return 1 if $username eq 'root@pam'; # root is always enabled
-
     die "user '$username' is disabled\n" if !$noerr;
  
     return undef;
 }
 
+sub verify_one_time_pw {
+    my ($usercfg, $username, $tfa_cfg, $otp) = @_;
+
+    my $type = $tfa_cfg->{type};
+
+    die "missing one time password for Factor-two authentication '$type'\n" if !$otp;
+
+    # fixme: proxy support?
+    my $proxy;
+
+    if ($type eq 'yubico') {
+	my $keys = $usercfg->{users}->{$username}->{keys};
+	yubico_verify_otp($otp, $keys, $tfa_cfg->{url}, $tfa_cfg->{id}, $tfa_cfg->{key}, $proxy);
+    } elsif ($type eq 'oath') {
+	my $keys = $usercfg->{users}->{$username}->{keys};
+	oath_verify_otp($otp, $keys, $tfa_cfg->{step}, $tfa_cfg->{digits});
+    } else {
+	die "unknown tfa type '$type'\n";
+    }
+}
+
 # password should be utf8 encoded
 # Note: some pluging delay/sleep if auth fails
 sub authenticate_user {
-    my ($username, $password) = @_;
+    my ($username, $password, $otp) = @_;
 
     die "no username specified\n" if !$username;
  
@@ -390,6 +411,11 @@ sub authenticate_user {
     my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
     $plugin->authenticate_user($cfg, $realm, $ruid, $password);
 
+    if ($cfg->{tfa}) {
+	my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($cfg->{tfa});
+	verify_one_time_pw($usercfg, $username, $tfa_cfg, $otp);
+    }
+
     return $username;
 }
 
@@ -669,10 +695,10 @@ sub userconfig_force_defaults {
 	$cfg->{roles}->{$r} = $special_roles->{$r};
     }
 
-    # fixme: remove 'root' group (not required)?
-
-    # add root user 
-    $cfg->{users}->{'root@pam'}->{enable} = 1;
+    # add root user if not exists
+    if (!$cfg->{users}->{'root@pam'}) {
+	$cfg->{users}->{'root@pam'}->{enable} = 1; 
+    }
 }
 
 sub parse_user_config {
@@ -682,11 +708,8 @@ sub parse_user_config {
 
     userconfig_force_defaults($cfg);
 
-    while ($raw && $raw =~ s/^(.*?)(\n|$)//) {
+    while ($raw =~ /^\s*(.+?)\s*$/gm) {
 	my $line = $1;
-
-	next if $line =~ m/^\s*$/; # skip empty lines
-
 	my @data;
 
 	foreach my $d (split (/:/, $line)) {
@@ -698,7 +721,7 @@ sub parse_user_config {
 	my $et = shift @data;
 
 	if ($et eq 'user') {
-	    my ($user, $enable, $expire, $firstname, $lastname, $email, $comment) = @data;
+	    my ($user, $enable, $expire, $firstname, $lastname, $email, $comment, $keys) = @data;
 
 	    my (undef, undef, $realm) = PVE::Auth::Plugin::verify_username($user, 1);
 	    if (!$realm) {
@@ -730,6 +753,8 @@ sub parse_user_config {
 	    $cfg->{users}->{$user}->{email} = $email;
 	    $cfg->{users}->{$user}->{comment} = PVE::Tools::decode_text($comment) if $comment;
 	    $cfg->{users}->{$user}->{expire} = $expire;
+	    # keys: allowed yubico key ids or oath secrets (base32 encoded)
+	    $cfg->{users}->{$user}->{keys} = $keys if $keys; 
 
 	    #$cfg->{users}->{$user}->{groups}->{$group} = 1;
 	    #$cfg->{groups}->{$group}->{$user} = 1;
@@ -875,7 +900,8 @@ sub write_user_config {
 	my $comment = $d->{comment} ? PVE::Tools::encode_text($d->{comment}) : '';
 	my $expire = int($d->{expire} || 0);
 	my $enable = $d->{enable} ? 1 : 0;
-	$data .= "user:$user:$enable:$expire:$firstname:$lastname:$email:$comment:\n";
+	my $keys = $d->{keys} ? $d->{keys} : '';
+	$data .= "user:$user:$enable:$expire:$firstname:$lastname:$email:$comment:$keys:\n";
     }
 
     $data .= "\n";
@@ -1118,14 +1144,19 @@ sub yubico_compute_param_sig {
 }
 
 sub yubico_verify_otp {
-    my ($otp, $api_id, $api_key, $proxy) = @_;
+    my ($otp, $keys, $url, $api_id, $api_key, $proxy) = @_;
+
+    die "yubico: missing password\n" if !defined($otp);
+    die "yubico: missing API ID\n" if !defined($api_id);
+    die "yubico: missing API KEY\n" if !defined($api_key);
+    die "yubico: no associated yubico keys\n" if $keys =~ m/^\s+$/; 
 
-    die "yubicloud: wrong OTP lenght\n" if (length($otp) < 32) || (length($otp) > 48);
+    die "yubico: wrong OTP lenght\n" if (length($otp) < 32) || (length($otp) > 48);
 
     # we always use http, because https cert verification always make problem, and
     # some proxies does not work with https.
 
-    my $url = 'http://api2.yubico.com/wsapi/2.0/verify';
+    $url = 'http://api2.yubico.com/wsapi/2.0/verify' if !defined($url);
     
     my $params = {
 	nonce =>  Digest::HMAC_SHA1::hmac_sha1_hex(time(), rand()),
@@ -1174,14 +1205,54 @@ sub yubico_verify_otp {
     if ($api_key) {
 	my ($datastr, $vsig) = yubico_compute_param_sig($result, $api_key);
 	$vsig = uri_unescape($vsig);
-	die "yubicloud: result signature verification failed\n" if $rsig ne $vsig;
+	die "yubico: result signature verification failed\n" if $rsig ne $vsig;
     }
 
-    die "yubicloud auth failed: $result->{status}\n" if $result->{status} ne 'OK';
+    die "yubico auth failed: $result->{status}\n" if $result->{status} ne 'OK';
 
-    $result->{publicid} = substr(lc($result->{otp}), 0, 12);
+    my $publicid = $result->{publicid} = substr(lc($result->{otp}), 0, 12);
+
+    my $found;
+    foreach my $k (PVE::Tools::split_list($keys)) {
+	if ($k eq $publicid) {
+	    $found = 1;
+	    last;
+	}
+    }
+
+    die "yubico auth failed: key does not belong to user\n" if !$found;
 
     return $result;
 }
 
+sub oath_verify_otp {
+    my ($otp, $keys, $step, $digits) = @_;
+
+    die "oath: missing password\n" if !defined($otp);
+    die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/; 
+
+    $step = 30 if !$step;
+    $digits = 6 if !$digits;
+
+    my $found;
+
+    my $parser = sub {
+	my $line = shift;
+
+	if ($line =~ m/^\d{6}$/) {
+	    $found = 1 if $otp eq $line;
+	}
+    };
+
+    foreach my $k (PVE::Tools::split_list($keys)) {
+	# Note: we generate 3 values to allow small time drift
+	my $now = localtime(time() - $step);
+	my $cmd = ['oathtool', '--totp', '--digits', $digits, '-N', $now, '-s', $step, '-w', '2', '-b', $k];
+	eval { run_command($cmd, outfunc => $parser, errfunc => sub {}); };
+	last if $found;
+    }
+
+    die "oath auth failed\n" if !$found;
+}
+
 1;